Dive into the murky world of cyber espionage and other growing threats that managed service providers – and their customers, face
ESET telemetry from Q4 2022 kicks off a new campaign by muddy watera cyber espionage group associated with the Iranian Ministry of Intelligence and Security (MOIS) and active since at least 2017. The group (mainly) targets victims in the Middle East, Asia, Africa, Europe and North America, with a focus on telecommunication companies, government organizations, and oil & gas and energy verticals.
For readers interested in MSP, what stood out in their October 2022 campaign were four victims, three in Egypt and one in Saudi Arabia, compromised through abuse Simple Help, authorized remote access tools (RAT) and remote support software used by MSPs. This development signifies the importance of visibility for MSPs. In deploying hundreds or even thousands of types of software there is no choice but to use automation and ensure that the SOC team, customer-facing security admins, and detection and response processes are mature and continuously improving.
A good tool for bad guys?
ESET research found that when SimpleHelp was on the victim’s disk, the MuddyWater operator was deployed Neck, a reverse tunnel, to connect the victim’s system to their Command and Control (C&C) server. How and when MuddyWater acquired MSP tools or entered the MSP environment is unknown. We have contacted MSP.
While this campaign continues, MuddyWater’s use of SimpleHelp has so far managed to obfuscate the MuddyWater C&C servers – the command to start Ligolo from SimpleHelp has yet to catch on. Regardless, we can already note that operator MuddyWater is also pushing MiniDump (an lsass.exe dumper), CredNinjaand new version of MKL64 group password dumper.
In late October 2022, ESET detected MuddyWater applying a special backtunnel tool to the same victim in Saudi Arabia. Even if the goal isn’t immediately apparent, the analysis continues, and progress can be tracked on us Personal APT reports.
Along with using MiniDump to obtain credentials from Local Security Authority Subsystem Service (LSASS) dumps and leveraging the CredNinja penetration testing tool, MuddyWater employs other tactics and techniques, for example, using the popular MSP tool from ConnectWise to gain access to the victim’s system.
ESET also tracks other techniques connected to the group, such as steganography, which obfuscates data in digital media such as images, audio tracks, video clips or text files. 2018 Report from ClearSky Cyber Security, MuddyWater operations in Lebanon and Omanalso documented this use, sharing hashes for malware hidden in some fake resumes – MyCV. doc. ESET detected malware disguised as VBA/TrojanDownloader.Agent.
While four years have passed since the publication of the ClearSky report, and ESET’s detection volume dropped from seventh (with 3.4%) in their Q3 2021 Threat Report to their most recent ranking of “last” (with 1.8%) in their T3 Threat Report 2022, VBA/TrojanDownloader.Agent remains in our top 10 malware detection charts.
VBA macro attack take advantage of maliciously crafted Microsoft Office files and attempt to manipulate users (including employees and MSP clients) to enable macro execution. When enabled, attached malicious macros usually download and run additional malware. These malicious documents are usually sent as email attachments disguised as important information relevant to the recipient.
A call to action for MSPs and companies
MSP admins, who configure leading productivity tools such as Microsoft Word/Office 365/Outlook, control the threat vectors that bring threats to the networks they manage. Simultaneously, SOC team members may or may not have their own properly configured EDR/XDR tools to identify whether APTs such as MuddyWater or criminal entities are attempting to utilize techniques, including steganography, to access their own systems or client systems.
MSP needs both trusted network connectivity and privileged access to the customer system to provide services; this means they collect risk and responsibility for a large number of clients. Importantly, clients can also inherit risks from their chosen MSP environment and activities. This has shown XDR to be an important tool in providing visibility into their own environment and customer endpoints, devices, and networks to ensure that emerging threats, risky employee behavior, and unwanted applications do not jeopardize their bottom line or reputation. The operation of mature XDR tools by MSPs also communicates their active role in providing a special layer of security for the privileged access granted to them by clients.
When mature MSPs manage XDR, they are in a much better position to deal with a wide variety of threats, including APT groups that may seek to capitalize on their clients’ position in the physical and digital supply chain. As defenders, SOC teams and MSP admins carry a double burden, maintaining internal visibility and visibility into the client network. Clients should be mindful of their MSP’s security stance and understand the threats they face, lest compromising their provider lead to compromising themselves.